Why Phishing Works Even If You're Not Normally Stupid

If you spend a lot of time online, you’re probably aware of phishing scams and know what to look out for. In other words, you’re not one of those ignorant types who clicks on links and starts entering personal information without hesitation. Writer and blogger Cory Doctorow is what you might call hyper-vigilant: he keeps unique passwords, uses a VPN when going online in public, and generally knows not to trust strangers. Still, he got phished a couple of weeks ago.

Doctorow’s weak moment was a perfect combination of timing and social cues. He had just wiped his account info from his phone and was therefore primed to be re-entering passwords, the URL was truncated in his phone’s browser, he was running late, and he was expecting a message along the lines of the one the phisher sent. In other words, most of the conditions that made the attack work came about organically and with very natural explanations; the phisher just happened to randomly attack at the right time.

His point is that it’s naive to think you’ll never be vulnerable to a phishing attack, no matter how knowledgeable you are about online scams.

…the stars aligned for that one moment, and in that exact and precise moment of vulnerability, I was attacked by a phisher. This is eerily biological, this idea of parasites trying every conceivable variation, at all times, on every front, seeking a way to colonize a host organism. The net’s complex ecosystem is so crowded with parasites now that it is a sure bet that there will be a parasite lurking in the next vulnerable moment I experience, and the next. And I will have vulnerable moments. We all do.

I don’t have a solution, but at least I have a better understanding of the problem. Falling victim to a scam isn’t just a matter of not being wise to the ways of the world: it’s a matter of being caught out in a moment of distraction and of unlikely circumstance.

Some strategies you can employ to minimize the effects of a successful phishing attack:

Use unique passwords to limit cross-contamination. I wrote about this last year, and readers quickly added a ton of better advice in the comments on that post. You should also check out Lifehacker for good password tips.

Consider using PwdHash. This can be installed as a Firefox add-on or you can use it manually (you can even save the page and js files to disk). It converts your real password into a random string based on the domain you’re visiting. What this means is, if a phisher tricks you into entering your password on a spoofed site, the converted password you enter won’t be valid. See details here.
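To make the domain-binding idea concrete, here is an added example (not PwdHash's own code; PwdHash uses HMAC-MD5 and extra character-class rules, and a real public-suffix list) of a simplified per-domain password derivation in Python. The master password, the real login URL and the lookalike phishing URL are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain the derived password is bound to.
    Assumption: a naive 'last two labels' rule; PwdHash handles multi-part
    public suffixes (co.uk, ...) that this example omits."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Turn one master password into a per-domain password.
    Constructed scheme: HMAC-SHA256 keyed by the domain, base64, truncated."""
    domain = site_key(url)
    digest = hmac.new(domain.encode(), master.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode().rstrip("=")[:length]


def captured_password_is_valid(captured: str, master: str, real_url: str) -> bool:
    """Would a password captured on some page authenticate at real_url?
    The phisher only gets what the browser derived for the page the victim
    was actually on, so compare it (constant-time) with what the real site
    expects."""
    expected = derive_site_password(master, real_url)
    return hmac.compare_digest(captured, expected)


if __name__ == "__main__":
    master = "correct-horse-battery"          # constructed sample master password
    real_login = "https://www.example.com/login"
    spoofed_login = "https://example.com.evil-login.test/login"  # constructed lookalike

    # What the victim's browser would submit on each page.
    real_pw = derive_site_password(master, real_login)
    leaked_pw = derive_site_password(master, spoofed_login)

    print("sent to real site   :", real_pw)
    print("sent to spoofed site:", leaked_pw)
    print("leaked value logs in at the real site:",
          captured_password_is_valid(leaked_pw, master, real_login))
```

The same master password yields the same string for every page on example.com but a different, useless string on the lookalike host, which is the whole mitigation the paragraph describes.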

Don’t make a habit of clicking shortened URLs. Of course, there are going to be times where you just have to know what’s on the other side. There are tools for Firefox and Chrome that will let you expand shortened URLs to see what awaits you, and today I discovered resolves.me, a website that will return the destination link as well as the HTML code.